On Tue, Jan 23, 2001 at 10:51:27AM +0000, Ben Laurie wrote:
> Lutz Jaenicke wrote:
> >
> > On Mon, Jan 22, 2001 at 04:41:41PM -0800, Nagaraj Bagepalli wrote:
> > > Thanks for your response. If I understand this correctly, the certificate
> > > is stored in the session table so that the application can retrieve it
> > > in resumed connections (in case it needs it), but from the SSL
> > > protocol point of view the client certificate is not used anywhere
> > > other than in establishing the new session.
> >
> > No, it is not used in the handshake again (that's why it must be kept inside
> > the stored session).
>
> IIRC the client certificate is _not_ stored in the session (at least, it
> used not to be - Apache-SSL has to work around this in its own caching).
At least in current versions it is stored. I don't know whether this
feature is missing in older versions, but Postfix/TLS has used this feature
(disk-based session caching) since September 1999.
Just checked the CVS archive: i2d_SSL_SESSION has handled the peer since
revision 1.1 (the initial OpenSSL check-in, dated Dec 21, 1998).
There was/is a bug with respect to the verify_result:
In older versions, the certificate was stored but is verified again when
reused. Due to the default setting, verify_result became X509_V_OK in any
case for reused sessions...
* For the server side this bug was fixed in 0.9.5.
* For the client side this bug is still present in 0.9.6 but has been
fixed in CVS and will hence be fixed in 0.9.7 (or 0.9.6a if/when released).
Best regards,
Lutz
--
Lutz Jaenicke
BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List